US authorities just took down ‘one of the most powerful DDoS botnets to ever exist’ with help from AWS
Rapper Bot is believed to have been behind more than 370,000 attacks, including one on the X platform


An Oregon man has been arrested and charged amid allegations that he coordinated the Rapper Bot botnet, believed to have caused huge outages on X.
Ethan Foltz, 22, has been charged in the District of Alaska with developing and administering the DDoS-for-hire botnet, which has conducted a series of large-scale cyber attacks since at least 2021.
Campaigns in August 2022 and December 2022 focused on brute-forcing devices with weak or default SSH and Telnet credentials to expand the botnet’s footprint for launching DDoS attacks.
The following year, analysis from Fortinet shows it started branching out into cryptojacking, specifically for Intel x64 machines.
At first, the attackers deployed and executed a separate Monero cryptominer alongside the usual Rapper Bot binary, later combining both functionalities into a single bot.
Also known as Eleven Eleven Botnet and CowBot, Rapper Bot mainly targeted devices like digital video recorders or Wi-Fi routers at scale, exploiting them for DDoS attacks in more than 80 countries around the world.
Victims included a US Department of Defense network and several US tech companies - most notably the X social media platform, which was hit in March this year.
Rapper Bot has been on a rampage
According to authorities, Rapper Bot has been responsible for more than 370,000 attacks since April, targeting 18,000 unique victims.
It used between 65,000 and 95,000 infected victim devices to regularly conduct DDoS attacks that amounted to between two and three terabits per second, with the largest attack believed to have topped six terabits per second.
Even the smallest of these could cost the victim up to $10,000, according to the Department of Justice (DOJ).
Foltz allegedly provided paying customers with access to what the DOJ called “one of the most sophisticated and powerful DDoS-for-hire botnets currently in existence”.
Some Rapper Bot customers, including Chinese gambling operations, extorted victims globally.
Earlier this month, law enforcement officials executed a search warrant on Foltz’s residence in Oregon and shut down Rapper Bot’s attack capabilities, gaining administrative control. There don't appear to have been any attacks since.
“Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator and effectively disrupted the activities of this transnational criminal group,” said US attorney Michael J. Heyman for the District of Alaska.
“Our office remains committed to disrupting and dismantling cyber criminals that threaten internet security and infrastructure in the District of Alaska and across the United States.”
Amazon Web Services (AWS) contributed to the takedown by identifying Rapper Bot’s command and control (C2) infrastructure, and reverse engineering the IoT malware to map its operations and activities.
Foltz is charged with one count of aiding and abetting computer intrusions, for which he could face up to ten years in prison.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.